The Cloud Offers Opportunity for Oil and Gas Cybersecurity

You have access to this full article to experience the outstanding content available to SPE members and JPT subscribers.

To ensure continued access to JPT's content, please Sign In, JOIN SPE, or Subscribe to JPT

The rapid acceleration in the adoption of cloud services has increased the focus on cybersecurity. While data protection and privacy have always been key concerns in the oil and gas industry, they frequently have been achieved by isolating networks and strengthening perimeter defenses. However, this approach has allowed poor practices in many areas. The author argues that the advent of cloud technology should not be regarded as a further challenge to security, but an opportunity to revitalize and improve a company’s defenses dramatically.


Computer security involves a web of trust between operating systems, hypervisors, applications, networks, employees, contractors, and administrators (Fig. 1). This system must guard against intentional and unintentional breaches and attacks by malicious actors who might be individuals, corporations, or even governments. The directionality of this trust relationship is complex: for example, an application must establish a user’s identity to determine what level of trust to apply to their actions; a user must trust that an application will not distribute entered information illicitly.

Fig. 1—The web of trust in computer security.


Traditional models for network protection typically have focused on perimeter security. This focus frequently has allowed multiple attack vectors to be ignored or left unaddressed. Companies often maintain robust firewall policies alongside poor password-management practices. In addition, many commercial software packages for the industry have implemented their own authentication systems, making a multiplicity of different user identifiers and passwords unavoidable.

Defining the Cloud

The cloud is not, in and of itself, about technology. Fundamentally, it is about a different approach to the consumption of computing services, one in which services are provided on a utility basis. A 2011 paper authored by members of the US National Institute of Standards and Technology (NIST) provided one of the most commonly cited definitions of cloud computing. Their five essential characteristics of the cloud are not about technology, but about the nature of the service.

  • On-demand self-service. This means that consumers (or end users) can provision computing capabilities, such as servers and storage and application features, without needing to contact a service provider.
  • Broad network access. This characteristic implies that the access to services is through standard mechanisms and does not require specialist or proprietary technology.
  • Resource pooling. Resources such as computing power or network storage are shared among multiple users or tenants.
  • Measured service. Use of computing resources is measured and controlled to benefit the provider and the consumer.
  • Rapid elasticity. The resources provisioned by a user, in a self-service model, can be scaled up or down to meet demand in an apparently unlimited fashion.

Few organizations will have the demand or the ability to deliver a service to their internal users with these five characteristics. Resource pooling and multitenancy are essential in delivering elasticity in an economical fashion, and these require a scale of operation that few companies possess. Further, significant effort is required to maintain the infrastructure to offer metered use of resources that are provisioned dynamically by users in a self-service model. For most companies, information technology provision is a necessity, not a strategic investment. The public cloud should almost certainly be the first choice for every oil and gas company.

One further point is worth making. Cloud customers should be aiming to purchase service, not software. The fact that many companies manage their own infrastructure, and the security thereof, is a historical artifact, not an invitation to replicate existing practices in a public cloud environment.

Risk Assessment and Information Security

Mitigation does not imply prevention, but it can reduce the effect of an occurrence. For malicious deletion of files, one might invoke backups as a mitigation. To mitigate the potential for a malicious individual to delete both files and their backups, a set of access rights could be implemented such that groups of users only can access either the files themselves or their backups, but not both.

Many risk registers suggest monitoring a situation or risk as a mitigation, but this makes little sense. For example, while monitoring for network breaches is essential, it is without value unless it is supported by a detailed plan for recovery when the breach occurs. Otherwise, it is inaction, not mitigation. A proper risk assessment establishes not only the potential causes of a breach, but also the effect and mitigation of a breach even if no cause can be identified.

There are no absolutes in security; there are only risk evaluation, mitigation, assessment, testing, monitoring, and remediation. Indeed, starting from the assumption that a breach is inevitable is a best practice, not an admission of failure. In every single case, the question is: “What is the mitigation?”

Considering Risks. On the basis of experience gained with a variety of companies, the author states that it is common to find on-premises systems that feature weak security practices such as the following:

  • Inadequate separation of roles in systems use and administration
  • Inadequate management of digital certificates
  • No encryption of data at rest
  • Insecure data in flight
  • Unmonitored systems access
  • No detection processes for unusual or invalid access or network activity
  • Inconsistent patching of systems and firmware
  • Lack of centralized management of audit trails, including logs
  • Inadequate change management
  • No requirement for two-factor authentication for internal systems
  • Limited or nonexistent support for single sign-on

Not all companies suffer from all of these problems, but the author’s experience has been that most companies suffer from one or more of them. Unfortunately, it only requires lax security in one or two areas to incur the potential of a serious breach.

Moving applications to the cloud does not solve any of these problems. Indeed, bad practices, like poor password policies, easily can be carried from one to the other. However, the major public cloud platforms do provide tooling to make it relatively easy, and sometimes trivial, to deliver solutions that avoid these deficiencies.

Password Problems. Virtually from the start of specialization in computer-system security, the single weakest point has been the password. Generally, the choice of authentication methodology follows the path of least resistance, combined with an adherence to outdated principles with minimal evidential support.

NIST suggests that verifiers should not impose arbitrary composition rules (such as requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. In addition, they suggest that it should not be necessary for a user to change memorized secrets arbitrarily, other than with evidence of a breach. This completely undermines standard practices that require users to change their passwords every 30 or 60 days. In truth, a reasonably complex password combined with a second factor, such as a token or fingerprint, is more than adequate. There is no reason to change passwords unless there is evidence of a breach.

Moving to the Cloud

Security Responsibilities. Cloud providers have made security their top priority, and they are well-placed to attract the highest-quality talent to support their goals. This fact does not eliminate the requirement for users to manage and enforce security standards and procedures. However, it does make this job significantly easier because many aspects of security are the responsibility of the cloud provider. It is important to understand where responsibility for security lies for each element of the service.

Single Sign-On (SSO) vs. Federation

In any organization, allowing users a single password or authentication mechanism to access all internal services is the goal of SSO. However, many organizations fail to achieve even this basic standard. Multiple passwords abound, and users must manage multiple different identities with multiple different providers. Implementing SSO across different enterprises, and across solutions from multiple providers, is the task of federation. In truth, federated identity is essential in a cloud environment. Federated authentication means that a single directory can be designated for authentication and a trust relationship established with any other directories in use, including those in the cloud. This provides a single point at which to establish password rules and to add and remove users.

Such steps are a clear benefit for the management of both users and user passwords. In an ideal situation, a user will have a single password (and possibly a secondary authentication token) that will allow access to every system that an organization uses, both on-premises and in the cloud.

Systems Integration and Security. Standards for security not only must be applied to individuals, but also to the integration of third-party systems. Cloud services provide extensive web-service application programming interfaces routinely. Creating services that combine the capabilities of multiple systems will require secure integration of services from different providers with different design methodologies. In general, it is inappropriate to use password-based authentication for systems-to-systems access; digital certificates are preferred.

Certificates are a more-robust solution, but carry additional complexity and management challenges that have hindered adoption. Nonetheless, in a cloud-based world that requires federated identity, they are essential, and represent the primary method for authentication.

Finally, integration of on-premises and cloud solutions should begin with the assumption that cloud services can never make calls through the firewall to on-premises systems. Building solutions that are based on pushing data to the cloud is essential. While this sort of development initially seems more cumbersome, the reality is that it imposes very few restrictions on operational models.

This article, written by JPT Technology Editor Chris Carpenter, contains highlights of paper SPE 191563, “Cyber Security, the Cloud, and Oil and Gas,” by Peter Black, SPE, EnergySys, prepared for the 2018 SPE Annual Technical Conference and Exhibition, Dallas, 24–26 September. The paper has not been peer reviewed.

The Cloud Offers Opportunity for Oil and Gas Cybersecurity

01 August 2019

Volume: 71 | Issue: 8